Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.Find out more
We are excited to share the latest edition of the Law Update, beautifully and appropriately titled “Sustainable Horizons: The Saudi Arabian Vision.” Giving special honor to the Kingdom’s 2030 vision, this update focuses on a collection of both informative and inspiring articles.
For those in construction, you can learn about how the tendering environment impacts risk-pricing for contractors, the updates on the legal framework of the construction industry and how contractors can protect themselves against financial difficulties.
There is good news too from the kingdom’s banking sector, from which the practice of “Open Banking” is being pushed for! But what is open banking? We’re answering that too.
Also . . . Are there any women trail blazers in Saudi Arabia you can name? We’ll help you with that. We cover how the Middle East has been making strides in empowering women in the entrepreneurial space,most notably in STEM fields.Read the full edition
Amy Land-Pejoska - Associate - Digital & Data
Zil Ur Rehman - Senior Associate - Digital & Data
Cybersecurity can be summarised as the use of technology, and other measures, to ensure the safety of data and computer systems from incidents, both accidental and deliberate, that might compromise their integrity. For businesses, cybersecurity is of increasing importance. Besides the operational impact of a cybersecurity incident, such incidents can result in legal liability, reputational damage and financial loss. The urgent need to counter cybersecurity threats has resulted in greater measures being adopted by legislators and regulators around the world, and the situation in Saudi Arabia is no different.
In 2018, Saudi Arabia’s National Cybersecurity Authority (‘NCA’) issued guidelines in the form of Essential Cybersecurity Controls (‘ECC’). In 2019, the local telecoms regulator, the Communication and Information Technology Commission (‘CITC’), proposed a cybersecurity framework, the Cybersecurity Regulatory Framework (‘CFR’) for the Information Communications and Technology Sector (‘draft CRF’), aimed primarily at the telecommunications industry.
This article outlines the NCA’s ECC, and the proposed CRF for the Information Communications and Technology Sector.
The ‘NCA Regulation’ (the Regulation of the National Cybersecurity Authority, approved by Royal Decree No. 6801 dated 11/2/1439H (31 October 2017)) sets out the key features and responsibilities of the NCA. These include:
In 2018, the NCA published the ECC the minimum cybersecurity requirements for Saudi government organisations (including ministries, authorities, establishments and others) and its companies and entities, as well as private sector organisations owning, operating or hosting critical national infrastructure. The NCA encourages all other organisations in Saudi Arabia to utilise the ECCs to improve their cybersecurity.
The ECCs consist of 114 cybersecurity controls, linked to national and international regulatory requirements, structured into five main domains, comprising:
The ECC’s governance requirements contemplate the development and implementation of a cybersecurity strategy that contributes to compliance with relevant laws and regulations. They set out the personnel, processes and other steps that organisations, that are subject to the ECCs, need to put in place to achieve effective cybersecurity.
Cybersecurity roles and responsibilities are to be set out clearly and kept up to date. Cybersecurity is to be managed with the support of an ‘organisation head’, delegated to oversee the organisation’s cybersecurity strategy. Cybersecurity policies and procedures are to be adopted, supported by technical security standards and kept up to date. A risk management process is to be documented and implemented at key risk points and reviewed as necessary.
Project and change management present a cybersecurity risk for organisations. The ECCs require the adoption of cybersecurity policies and procedures relating to these activities. Personnel can also represent a significant risk to cybersecurity. Protocols to ensure that these risks are managed must be in place. Examples include employee vetting and cybersecurity awareness and training.
Finally, the ECCs require organisations to have a system in place so that cybersecurity controls are reviewed and audited.
Organisations subject to the ECCs need to have physical security and other measures in place to protect their information and technology assets from various threats. As a preliminary step, an inventory of all IT assets should be kept. Only authorised personnel should access information as required to perform their roles and access to other information should be restricted. Unauthorised access should be prevented by having systems to log on and establish credentials.
Organisations are required to take measures to protect information systems against cyber risks. As well as protecting workstations, devices and careful handling of external storage media, the email service and external web applications need to be protected appropriately. Various minimum requirements to manage the security of an organisation’s network are mandated. The use of mobile devices and employees’ own devices pose their own additional cybersecurity risks, and the organisation must define and implement cybersecurity requirements including minimum controls as set out in the ECCs.
Data and information are to be classified and protected accordingly. Encryption is to be used in line with the organisation’s policies and relevant laws, and measures must be in place relating to back-up and recovery. This extends to measures to detect vulnerabilities and conduct penetration testing.
Cybersecurity events are to be logged and analysed, while systems to identify incidents and mitigate their effects must be in place.
Cybersecurity resilience aspects of the ECC’s main controls contemplate the incorporation of cybersecurity resiliency requirements into business continuity processes, thus minimising the impact of cybersecurity incidents on systems, data processing facilities and critical services.
In terms of third-party risks, the ECC’s main controls are focussed on issues relating to outsourcing and managed services, including the need to ensure that outsourcing and managed services follow organisational policies and procedures, as well as related laws and regulations.
With regard to cloud computing, the focus is on protecting cloud-hosted data and IT assets, as well as those processed or managed by third parties. For entities subject to the ECCs, the ECCs contemplate some degree of localisation, in that data hosting and storage sites need to be located in the Kingdom.
Entities subject to the ECCs are required to ensure that industrial control systems are managed appropriately to protect the confidentiality, integrity and availability of their assets against unauthorised access and destruction.
In May 2019, the CITC invited feedback on its draft Cybersecurity Regulatory Framework for the Information Communications and Technology Sector. The draft CRF sets out requirements to increase effectiveness in cybersecurity risk management in line with international best practices. The draft CRF would apply to all service providers licensed by the CITC (i.e. any person licensed by the CITC who either provides a telecommunications service to the public, operates a telecommunications network used by such person or by another person to provide a telecommunications service to the public, or both) their affiliates, staff, related third parties and customers.
The draft CRF contemplates CITC setting security targets by defining compliance levels pursuant to a risk based approach. Each level comprises a set of cybersecurity controls of varying complexity. Fulfilment of the preceding requirements will be necessary to achieve the next level of cybersecurity compliance. The draft CRF contemplates service providers being classified according to criticality in order to determine the applicable target compliance levels:
The essential responsibilities of licensed service providers include measures to be undertaken in the areas of governance, asset management, cybersecurity risk management, logical security, physical security and third party security.
Licensed service providers are required to:
Cybersecurity Risk Management:
Licensed service providers are required to prepare and enforce an appropriate cybersecurity risk assessment approach; and an appropriate approach to monitor and treat cybersecurity risk.
The draft CRF sets out obligations applicable to licensed service providers in developing software applications. These obligations include fulfilling the following requirements:
Licensed service providers will need to protect their information assets against physical damage and threats, manage physical access to facilities hosting such assets, address any environmental threats to such assets, and extend the same protection to such assets located outside their premises.
Third Party Security
The draft CRF proposes making it mandatory for licensed service providers to require third party cloud service providers and third party outsourced service providers to adopt the cybersecurity requirements stipulated by the CITC.
Pursuant to the draft CRF, the CITC will have the overall role of the regulator and will be empowered to monitor and enforce compliance of the stipulated requirements. For such purposes, it may undertake inspections of service provider facilities, carry out workshops for training and awareness, and undertake active and reactive audits. It will also be responsible for setting compliance targets and deadlines.
The draft CRF does not propose any penalties for licensed service providers who may be in violation of the stipulated requirements. Under its founding statute, the CITC is empowered to impose penalties for violations of the laws and regulations pertaining to the telecommunications sector, and we expect that this will provide the basis under which the CRF, if it comes into effect, will be enforced.
The public consultation process on the draft CRF was completed as of June 27, 2019. It is unclear when the finalised version of the draft CRF will become effective, or if any changes will be adopted in the interim. Industry participants are encouraged to watch this space.
Meanwhile, government agencies and critical national infrastructure operators will need to review their cybersecurity arrangements for compliance with the Essential Cybersecurity Controls.
Al Tamimi & Company’s Technology, Media & Telecommunication team regularly advises on regulatory issues concerning technology, telecommunications and cybersecurity in Saudi Arabia and the Middle East. For further information please contact Nick O’Connell (firstname.lastname@example.org), Amy Land Pejoska (email@example.com) or Zil Ur Rehman (firstname.lastname@example.org).
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.